Toolkit Part One: Self-Assessment

This questionnaire will help you to evaluate the current situation in your organisation with regards to managing information and records. It is broken down into five sections for ease of use.

In each box tick the answer that applies to your organisation and use the comment box to outline your reasons or give evidence for your answer. This space can also be used to think about how to identify and mitigate the risk of current practices in areas that you have not developed plans for yet. At the bottom of the box there is space to write down any follow up actions required.

Once you have completed the self-assessment you can collate your follow up actions and these can form the basis of your action plan for implementation and improvement of formal records management policies and plans. The self-assessment has 34 questions and may take 30-45 minutes to complete. 

Section One: Records management function

This section asks you to think about how to make records management part of the structure of your organisation and a specified function within it. This means making sure records management has adequate resources and has people who are responsible for making sure the organisation keeps good records.

Q1: Is records management a specific and formal function within the organisation, with clear objectives?

Action Required? /

Q2: Does the records management function bring together responsibility for records, regardless of format (e.g. paper and digital) from when they are created to when they might need to be disposed of?

Action Required? /

Q3: Does the records management work have sufficient resources (e.g. dedicated staff, storage and budgets) allocated to it?

Action Required? /

Q4: Is there a review mechanism in place to review records management policies and plans, including their objectives and resources, ensuring that they continue to improve and be effective?

Action Required? /

Section Two: Policies

This section invites you to consider what policies you need to put in place to make sure everyone in the organisa- tion knows how to do their part in making sure records are created, well managed during their lifetime, and if appropriate, disposed of.

Q5: Is there a policy statement on records management within the organisation?

Action Required? /

Q6: Is the policy formally endorsed by senior managers and/or trustees within the organisation?

Action Required? /

Q7: Does the policy include reference to other relevant policies and regulatory requirements, such as the Data Protection Act and data security policy?

Action Required? /

Q8: Does the policy specify the roles and responsibilities of those involved in overseeing and carrying out records management activities, including details on how actions and decisions are documented?

Action Required? /

Q9: Does the policy include a retentions schedule, clearly defining which records should be kept long term (after they have passed out of daily use) to reflect the work and decision making of the organisation? Does it cover paper and digital records, and

Action Required? /

Q10: Does the policy define the criteria for disposing of records, outlining how to dispose of records in a secure manner (which is recorded and auditable) and telling the organisation who is responsible for making sure this is done?

Action Required? /

Q11: Are staff, trustees and volunteers aware of the policy, and is it readily available for them to consult?

Action Required? /

Q12: Does the policy cover access to encrypted or password protected material?

Action Required? /

Q13: Does the policy cover correspondence, including emails?

Action Required? /

Q14: Are there procedures in place to review and revise the policy, e.g. every three years or when introducing new technology?

Action Required? /

Section Three: Roles, responsibilities, training and awareness

In order to make sure the organisation has a comprehensive plan for managing its records, different people in the organisation will need to be involved. Senior management and trustees will have a key role in making sure the organisation takes records management seriously. In larger organisations, it will be necessary to make sure there are skilled records management positions. In smaller organisations, this work may be part of a role with other responsibilities. In either case, support will be needed.

All staff will have a role to play in knowing what to do with the records they create and use. Organisations may also wish to give responsibility for managing records and championing good practice to someone within each unit, department or directorate of the organisation.

Q15: Is there a designated senior manager or trustee with responsibility for overseeing records management throughout the organisation?

Action Required? /

Q16: Have individuals been identified to implement the records management policy and procedures?

Action Required? /

Q17: Has secure and suitable storage (including that required for digital records) for records management work been identified?

Action Required? /

Q18: Do the job descriptions and training of staff doing records management work reflect the duties and skills required for this work?

Action Required? /

Q19: Does induction training for staff, trustees and volunteers include awareness of how they should create, use and preserve records on a day-to-day basis, including email where appropriate?

Action Required? /

Q20: Are there processes in place to co-ordinate and review the work, training and support of those doing records management?

Action Required? /

Section Four: Systems for creating and keeping records

Establishing a new records management system will take time, but it has clear benefits for the organisation in the form of efficiency and demonstrating regulatory compliance. Once you have determined the policy needed and resources required, it is time to consider how a records management system will be implemented and maintained.

What you keep, how and where is up to you to decide and will depend on the size of the organisation and the resources available. It may be worth investing in an Electronic Records Management (ERM) system or you may find it easier to arrange things yourselves.

In the process of determining what to retain, it is vital to think about the larger regulatory environment. For charities, it is especially important both to demonstrate good governance and to possess an auditable trail of evidence that shows how decisions were made. For example, robust records management processes and procedures will help you to understand if your organisation is creating and retaining records that would be required if you were subject to an inquiry by the Charity Commission, Information Commissioner’s Office, or Fundraising Regulator. This section helps you think about the activities involved in records management.

Q21: Has the organisation carried out an audit or survey to identify the paper and digital records it currently has?

Action Required? /

Q22: Have records been arranged according to a classification scheme, index or catalogue which reflects the functions of the organisation? Have end users been consulted about this scheme?

Action Required? /

Q23: Are records appropriately titled, and is metadata collected to allow for easy searching? E.g. metadata might include dates of records (needed for disposal policies), links between records of different formats or from different departments

Action Required? /

Q24: Has the data owner or data subject been identified where this is not the organisation?

Action Required? /

Q25: Is there a system for filing correspondence, including emails?

Action Required? /

Q26: Have records which need to be restricted (such as those containing personal data) been identified and is clear guidance given about who can access them?

Action Required? /

Q27: Does the records management system take into account legislation and regulation that your organisations has to abide by? E.g. from the Charity Commission, Fundraising Regulator etc.

Action Required? /

Q28: Is there a system for review, monitoring and feedback to see how well the system is working and if people are using it correctly?

Action Required? /

Section Five: Records maintenance and disposal

In drawing up your records management policies and plans you will need to think about records that you might need to dispose of, or indeed those that merit permanent preservation. Keeping some records permanently is vital for good governance and business continuity. However, there are also records that can be securely disposed of once they pass out of use, have been kept for the period required (e.g. accounting requirements to keep some records for seven years) or for data protection reasons.

In this section, the self-assessment tool asks you to think about maintaining and preserving records that you need to keep long term, deciding what to dispose of and making sure this is done in a secure and auditable way.

Q29: Does the organisation’s business continuity or disaster management plan include records maintenance?

Action Required? /

Q30: Are there safeguards to prevent fraudulent amendments to records?

Action Required? /

Q31: Is there a process for identifying records that are at risk of loss due to software/hardware obsolescence and migrating them?

Action Required? /

Q32: Where records merit permanent preservation are there processes to identify and store them, including provision for third party deposit where appropriate?

Action Required? /

Q33: Do you have a retentions and disposal schedule (for identifying what records need to be kept and for how long)?

Action Required? /

Q34: Is there a process for disposing of records that is a) secure, b) timely and c) leaves an auditable record of what has been disposed of?

Action Required? /

Next